Lab environment:
  The company is launching a game and needs a VPN tunnel so that the authentication and billing systems in different regions can communicate internally; day-to-day server maintenance is also done over the VPN, so all of that traffic travels encrypted.

Solution: use the AutoKey IKE VPN feature of the Juniper NetScreen SSG140-SB. Because many sites have to be set up and the settings are almost identical everywhere, the Shanghai and Changchun data centers are used as the worked example.
 
Steps:
1. Define the IP addresses of the Trust and Untrust interfaces.
2. Create address-book entries for the local and remote LAN subnets.
3. Define the remote gateway.
4. Create the AutoKey IKE VPN.
5. Set the default route to the external router.
6. Configure the policies.
 
Topology

[Figure 1: Juniper NetScreen SSG140-SB point-to-point policy-based VPN with AutoKey IKE]
 
 
WebUI (Shanghai IDC)
 
1. Interfaces
Network > Interfaces > ethernet0/0 > Edit: enter the following, then click OK:
Zone Name: Trust
Static IP: (select) IP Address/Netmask: 10.1.1.1/24
Interface Mode: NAT
Network > Interfaces > ethernet0/1 > Edit: enter the following, then click OK:
Zone Name: Untrust
Static IP: (select) IP Address/Netmask: 1.1.1.1/24
Interface Mode: Route
 
2. Addresses
Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:
Address Name: SH-IDC
IP Address/Domain Name:
IP/Netmask: (select) 10.1.1.0/24
Zone: Trust
Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:
Address Name: CC-IDC
IP Address/Domain Name:
IP/Netmask: (select) 10.2.2.0/24
Zone: Untrust
 
3. VPN
VPNs > AutoKey Advanced > Gateway > New: enter the following, then click OK:
Gateway Name: CC-IDC
Version: (select) IKEv1
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: 2.2.2.2 (the Untrust interface address of the Changchun firewall itself; 2.2.2.254 is the router in front of it and is not the IKE peer)
> Advanced: enter the following, then click Return:
Preshared Key: shanghai_***_changchun (at least 8 characters; the NetScreen-Remote client refuses anything shorter. Treat 8 as the floor, not the target: for a site-to-site tunnel use a long, randomly generated key and hand it to the remote site over a separate channel.)
Security Level: Predefined: (select) Standard
Mode (Initiator): Main (ID Protection). Aggressive mode saves one round trip, but it sends both peers' identities and the hash derived from the preshared key before any encryption is negotiated, which exposes the key to offline dictionary attacks; it is only worth that trade-off when the remote peer has a dynamic address, and both peers here are static.
Return

VPNs > AutoKey IKE > New: enter the following, then click OK:
VPN Name: SH-IDC_TO_CC-IDC
Remote Gateway: Predefined: (select) CC-IDC
> Advanced:
Security Level: Predefined: (select) Standard
Return
 
4. Routing
Network > Routing > Routing Entries > trust-vr > New: enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet0/1
Gateway IP Address: 1.1.1.254
 
5. Policies
Policies > (From: Trust, To: Untrust) > New: enter the following, then click OK:
Name: (optional)
Source Address:
Address Book Entry: (select) SH-IDC
Destination Address:
Address Book Entry: (select) CC-IDC
Service: ANY (once the tunnel is verified, narrow this to the authentication, billing and management ports actually needed)
Action: Tunnel
Tunnel VPN: SH-IDC_TO_CC-IDC
Modify matching bidirectional VPN policy: (check; this creates the matching Untrust-to-Trust tunnel policy)
Position at Top: (select, so the tunnel policy is matched before any broader Trust-to-Untrust permit policy)
 
 
 
WebUI (Changchun IDC)
 
1. Interfaces
Network > Interfaces > ethernet0/0 > Edit: enter the following, then click OK:
Zone Name: Trust
Static IP: (select) IP Address/Netmask: 10.2.2.2/24
Interface Mode: NAT
Network > Interfaces > ethernet0/1 > Edit: enter the following, then click OK:
Zone Name: Untrust
Static IP: (select) IP Address/Netmask: 2.2.2.2/24
Interface Mode: Route
 
2. Addresses
Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:
Address Name: CC-IDC
IP Address/Domain Name:
IP/Netmask: (select) 10.2.2.0/24
Zone: Trust
Policy > Policy Elements > Addresses > List > New: enter the following, then click OK:
Address Name: SH-IDC
IP Address/Domain Name:
IP/Netmask: (select) 10.1.1.0/24
Zone: Untrust
 
3. VPN
VPNs > AutoKey Advanced > Gateway > New: enter the following, then click OK:
Gateway Name: SH-IDC
Version: (select) IKEv1
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: 1.1.1.1 (the Untrust interface address of the Shanghai firewall itself; 1.1.1.254 is the router in front of it and is not the IKE peer)
> Advanced: enter the following, then click Return:
Preshared Key: shanghai_***_changchun (must be identical to the key entered on the Shanghai side; at least 8 characters, and in practice a long random string)
Security Level: Predefined: (select) Standard (must match the Shanghai side)
Mode (Initiator): Main (ID Protection) (must match the Shanghai side; both peers have static addresses, so there is no reason to accept Aggressive mode's exposure of identities and the preshared-key hash)
Return

VPNs > AutoKey IKE > New: enter the following, then click OK:
VPN Name: SH-IDC_TO_CC-IDC
Remote Gateway: Predefined: (select) SH-IDC
> Advanced:
Security Level: Predefined: (select) Standard (must match the Shanghai side)
Return
 
4. Routing
Network > Routing > Routing Entries > trust-vr > New: enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet0/1
Gateway IP Address: 2.2.2.254
 
5. Policies
Policies > (From: Trust, To: Untrust) > New: enter the following, then click OK:
Name: (optional)
Source Address:
Address Book Entry: (select) CC-IDC
Destination Address:
Address Book Entry: (select) SH-IDC
Service: ANY (narrow to the required ports once the tunnel is verified)
Action: Tunnel
Tunnel VPN: SH-IDC_TO_CC-IDC
Modify matching bidirectional VPN policy: (check; this creates the matching Untrust-to-Trust tunnel policy)
Position at Top: (select)
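Because every additional site repeats exactly these steps with only names and addresses changed, the two-sided configuration can be generated from a handful of parameters and cross-checked before anyone types it into a firewall. The Python script below is an added example and is not part of the original tutorial or of Juniper's documentation. It emits the ScreenOS CLI equivalent of WebUI steps 1 to 5 for each side (the `set interface`, `set address`, `set ike gateway`, `set vpn`, `set vrouter ... route` and `set policy` forms are the standard ScreenOS commands behind those menus) and checks the two sides against each other: the IKE remote gateway entered on one firewall must be the other firewall's Untrust address rather than the router in front of it, each default gateway must sit on its Untrust segment, and the preshared key must meet the 8-character minimum the tutorial cites. The two `Site` records are constructed from the Shanghai/Changchun address plan above; the preshared key is a placeholder.

```python
"""Generate ScreenOS CLI for a policy-based AutoKey IKE VPN between two SSG
firewalls and cross-check both sides before deployment.

Added example; the Site records below are constructed from the tutorial's
Shanghai / Changchun address plan, not read from a live device.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str        # address-book name for this site's LAN (same on both firewalls)
    trust_if: str    # Trust-zone interface, e.g. "ethernet0/0"
    trust_ip: str    # Trust interface address with mask, e.g. "10.1.1.1/24"
    untrust_if: str  # Untrust-zone interface, e.g. "ethernet0/1"
    untrust_ip: str  # public address with mask, e.g. "1.1.1.1/24"
    default_gw: str  # next-hop router on the Untrust segment

    @property
    def lan(self) -> str:
        """Trust-side subnet in CIDR form, derived from the interface address."""
        return str(ipaddress.ip_interface(self.trust_ip).network)

    @property
    def peer_address(self) -> str:
        """What the *other* firewall must enter as its IKE remote gateway."""
        return str(ipaddress.ip_interface(self.untrust_ip).ip)


def check_site(site: Site) -> list[str]:
    """Local sanity checks on one firewall's addressing."""
    untrust = ipaddress.ip_interface(site.untrust_ip)
    gw = ipaddress.ip_address(site.default_gw)
    if gw not in untrust.network:
        return [f"{site.name}: default gateway {gw} is not on Untrust segment {untrust.network}"]
    if gw == untrust.ip:
        return [f"{site.name}: default gateway equals the Untrust interface address"]
    return []


def check_peer(local: Site, remote: Site, configured_peer: str) -> list[str]:
    """The remote-gateway address typed on `local` must be the peer firewall's
    own Untrust address; the classic slip is to enter its next-hop router."""
    if configured_peer != remote.peer_address:
        return [f"{local.name}: IKE gateway set to {configured_peer}, "
                f"but {remote.name}'s Untrust address is {remote.peer_address}"]
    return []


def check_psk(psk: str) -> list[str]:
    # 8 characters is the floor the tutorial cites (NetScreen-Remote's minimum);
    # a real site-to-site key should be long and randomly generated.
    return [] if len(psk) >= 8 else ["preshared key is shorter than 8 characters"]


def screenos_config(local: Site, remote: Site, psk: str, vpn_name: str,
                    sec_level: str = "standard") -> list[str]:
    """ScreenOS CLI equivalent of WebUI steps 1-5 on `local`, peering with `remote`.
    Main mode is used because both peers have static addresses."""
    gw = remote.name  # gateway object named after the remote site, as in the WebUI
    return [
        f"set interface {local.trust_if} zone trust",
        f"set interface {local.trust_if} ip {local.trust_ip}",
        f"set interface {local.trust_if} nat",
        f"set interface {local.untrust_if} zone untrust",
        f"set interface {local.untrust_if} ip {local.untrust_ip}",
        f"set interface {local.untrust_if} route",
        f"set address trust {local.name} {local.lan}",
        f"set address untrust {remote.name} {remote.lan}",
        f"set ike gateway {gw} address {remote.peer_address} Main "
        f"outgoing-interface {local.untrust_if} preshare {psk} sec-level {sec_level}",
        f"set vpn {vpn_name} gateway {gw} sec-level {sec_level}",
        f"set vrouter trust-vr route 0.0.0.0/0 interface {local.untrust_if} "
        f"gateway {local.default_gw}",
        # Both halves of the policy pair; the WebUI's "Modify matching
        # bidirectional VPN policy" checkbox creates the second one for you.
        f"set policy top from trust to untrust {local.name} {remote.name} any tunnel vpn {vpn_name}",
        f"set policy top from untrust to trust {remote.name} {local.name} any tunnel vpn {vpn_name}",
        "save",
    ]


def plan(a: Site, b: Site, psk: str, vpn_name: str) -> dict[str, list[str]]:
    """Validate both sides, then return the CLI for each; raises on any problem."""
    problems = check_site(a) + check_site(b) + check_psk(psk)
    if problems:
        raise ValueError("; ".join(problems))
    return {a.name: screenos_config(a, b, psk, vpn_name),
            b.name: screenos_config(b, a, psk, vpn_name)}


# Constructed from the tutorial's address plan; the PSK is a placeholder.
SHANGHAI = Site("SH-IDC", "ethernet0/0", "10.1.1.1/24", "ethernet0/1", "1.1.1.1/24", "1.1.1.254")
CHANGCHUN = Site("CC-IDC", "ethernet0/0", "10.2.2.2/24", "ethernet0/1", "2.2.2.2/24", "2.2.2.254")
PSK = "REPLACE-WITH-A-LONG-RANDOM-KEY"

if __name__ == "__main__":
    # Entering the next-hop router (2.2.2.254) instead of the peer firewall is caught here.
    print(check_peer(SHANGHAI, CHANGCHUN, "2.2.2.254"))
    for site, lines in plan(SHANGHAI, CHANGCHUN, PSK, "SH-IDC_TO_CC-IDC").items():
        print(f"--- {site} ---")
        print("\n".join(lines))
```

Running the script prints the peer-address warning for the router-instead-of-firewall mistake and then the full `set` sequence for each side; the two outputs are mirror images, which is the property a multi-site rollout depends on. Adding a third site means adding one more `Site` record and calling `plan` once per pair.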